Hacker Hits British Navy Website with SQL Injection Attack

A hacker exploited a SQL injection vulnerability on the Royal Navy Website to steal administrator passwords and usernames.

A hacker reportedly exploited a SQL injection vulnerability on the Website of Britain's Royal Navy, according to media reports.

The incident took place Nov. 5, when a hacker known by the alias TinKode is believed to have attacked the site and stolen passwords and usernames. Right now, the site bears the message stating that: "Unfortunately the Royal Navy's Website is currently undergoing essential maintenance. Please visit again soon."

TinKode posted about the attack on Twitter and linked to his security blog, where visitors could find more information about the attack. The hacker, who is believed to be Romanian, has been tied in the past to attacks against NASA and U.S. Army-owned sites as well, Sophos Senior Technology Consultant Graham Cluley told eWEEK.

"TinKode's attack is particularly embarrassing for the British Ministry of Defence, as just last month protecting against cyber-attacks was declared in the National Security Strategy to be a 'highest priority for UK national security' alongside international terrorism, international military crises and major accidents/natural hazards," Cluley blogged.

"We can all be thankful that Tinkode's activities appear to be have been more mischievous than dangerous," he added. "If someone with more malice in mind had hacked the site they could have used it to post malicious links on the Navy's JackSpeak blog, or embedded a Trojan horse into the site's main page."

SQL injection is a well-known class of vulnerabilities found on the Web. According to a recent report from White Hat Security, SQL injections are the sixth most prevalent attack class, though cross-site scripting and information leakage were in the lead by far. SQL injection also was mentioned as a topic on the "2010 CWE/SANS Top 25 Most Dangerous Software Errors" list released in February.

In an article here, eWEEK compiled a list of tips to help organizations prevent SQL injection vulnerabilities before hackers get a chance to exploit them.

In a statement, the Royal Navy reportedly said that the Website had been temporarily suspended.

"Security teams are investigating," according to the statement. "Access to this Website did not give the hacker access to any classified information."

"Hopefully efforts are in place now to secure any vulnerabilities and reduce the chances of such a serious security breach happening again in future," Cluley blogged. "It is to be hoped that the ultimate impact of this attack will be egg on the face of the Ministry of Defence (and better security practices in future), rather than a more significant assault on a Website presenting the public face of an important part of the armed forces."